asked on
Account Lockout - Find App/Process on account
Hi All,
I have an account that is constantly being locked within AD after a password change. On our secondary DC Iooking at the event logs it tells me the first DC is the computer that is causing the lockout. I have looked everywhere on this first DC for where this account is used, but cannot find it. On the first DC within about 30 seconds of unlocking this account I can see an event that states that the particular credentials have been explicitly used. Any idea how I can what app/process is using this account.
I have tried resetting the password back to what it used to be, however the account still gets locked out.
Thanks for your help.
Cheers,
Paul
I have an account that is constantly being locked within AD after a password change. On our secondary DC Iooking at the event logs it tells me the first DC is the computer that is causing the lockout. I have looked everywhere on this first DC for where this account is used, but cannot find it. On the first DC within about 30 seconds of unlocking this account I can see an event that states that the particular credentials have been explicitly used. Any idea how I can what app/process is using this account.
I have tried resetting the password back to what it used to be, however the account still gets locked out.
Thanks for your help.
Cheers,
Paul
* AccountLockoutActive Directory
Last Comment
Zaheer Iqbal
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hi,
What is strange is that it states the secondary domain controller is locked. There is no log of this domain controller locking my account. What I can find on my first domain controller is an event ID 4648 that states that the administrator account tried to log onto the second domain controller using this accounts credentials.
Any help would be more than grateful.
Cheers,
Paul
What is strange is that it states the secondary domain controller is locked. There is no log of this domain controller locking my account. What I can find on my first domain controller is an event ID 4648 that states that the administrator account tried to log onto the second domain controller using this accounts credentials.
Any help would be more than grateful.
Cheers,
Paul
Is a account used for a user / support user or is it a service account ?
Do you have any tasks running against that account or any services running as that account ?
Do you have any tasks running against that account or any services running as that account ?
ASKER
Hi,
That's the strange thing, the account in question isn't a service account. I have checked under services and scheduled tasks and it isn't listed there either.
That's the strange thing, the account in question isn't a service account. I have checked under services and scheduled tasks and it isn't listed there either.
ASKER
What I can see periodically on the first controller is an event id 4648, with the account in question. Looks like the administrator is trying to log on using the problem account. In the process Id I get 0x4?
Cheers,
Paul
Cheers,
Paul
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hi,
Ok finally cracked it. For some reason it wasn't logging that account lock out on the target controller. It did however log event 4625 which listed the first DC. I checked the logs on the corresponding DC and the time stamps matched the 4648 error, confirming the first DC as the culprit. Account wasn't assigned to any services or scheduled task. Came across this: https://www.morgantechspace.com/2013/07/how-to-clear-windows-cached-credentials.html
and low and behold the problem account had a cached credential. Removed the defunct entry, ensured everything was still running as expected, and hey presto, strange problem fixed.
Thanks for all your help, I will split the points.
Paul
Ok finally cracked it. For some reason it wasn't logging that account lock out on the target controller. It did however log event 4625 which listed the first DC. I checked the logs on the corresponding DC and the time stamps matched the 4648 error, confirming the first DC as the culprit. Account wasn't assigned to any services or scheduled task. Came across this: https://www.morgantechspace.com/2013/07/how-to-clear-windows-cached-credentials.html
and low and behold the problem account had a cached credential. Removed the defunct entry, ensured everything was still running as expected, and hey presto, strange problem fixed.
Thanks for all your help, I will split the points.
Paul
Ah ok yes I remember this. Apologies maybe I miss-read your question I didnt state that you were logging in as the account and then after a while it was getting locked out.
Thanks for the points.
Thanks for the points.
Thanks for this, I have followed the steps provided. On the DC in question with the account in question I can only see event fith failure code 0x12 and not the 0x18 stated in the guide?
Cheers,
Paul